Depending on the browser and how it is set up, the odds are very good that you will not have distinct session identifiers. You can get the sort of behavior ... well, that you get from this very forum system!
Try selecting two different threads and right-clicking on them to open each of them in two separate windows. What do you actually get? You get the one most-recent thread, because Adobe's forum software is heavily based on cookies. Browsers typically treat all of the windows that they open as belonging to the one application-instance that has opened them all.
There are ways around this, but quite frankly, I don't feel too fuzzy about them.
There are a couple of ways you could do this:
- Either you pass the CFID and CFTOKEN around in the URL instead of the cookie and specify the "client" instance in the CLIENT or SESSION scope. I would NOT recommend this method, as it makes hijacking sessions so, so, so much easier.
- Keep the CFID and CFTOKEN in the cookie where they belong. Pass around a variable in the URL specifying the client instance. Then you should also encrypt the variable or pass around a hash with it (hash it, using the CFID and a secret key as the salt).
Thank you both for your answers.
You could accomplish the "session distinguishing" requirement with a hidden field-value, and/or a token that is added as-needed to the generated URLs in your various pages. This token needs to be (a) pure-random (such as a "unique identifier"), and (b) known to the host (as part of the Session data) and constantly verified by that host.
When a request comes in, then, first of all ColdFusion will know that the session-id is "good" and will have retrieved the necessary values for you. Then, each request or URL will contain one of these random tokens ... which must be "on the list." Only the server possesses the master list of token values.
If you use a unique-id (e.g.) as your source of values, then you know that it will never be repeated nor can it be guessed. Since the master list is associated with the session and will survive only as long as the session does, there is no avenue for entry.
(Obviously, you should already be using all of ColdFusion's built-in spoof-prevention features...)
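The two approaches above (an instance variable in the URL protected by a hash keyed with the CFID and a secret, and a per-session list of random tokens that only the server knows) can be shown side by side. The following is an added example written for this page, not code from the thread or from ColdFusion: the CFID values, session identifiers, instance names and the server secret are all constructed for the demonstration, and the HMAC is used as the "hash with a secret key and the CFID as salt".

```python
"""Added example: two ways to tell browser tabs apart without moving CFID/CFTOKEN
into the URL.

1. sign_instance()/verify_instance(): the instance name chosen by the user goes in
   the URL together with an HMAC, keyed by a server-side secret, over the session's
   CFID. The CFID itself stays in the cookie, so the URL parameter is useless in
   any other session and cannot be edited without the secret.
2. TabTokens: a per-session "master list" of random per-tab tokens that lives only
   on the server and is checked on every request.

The secret, CFIDs, session ids and instance names are constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed: a secret that exists only on the server (in practice loaded from config).
SERVER_SECRET = secrets.token_bytes(32)


def _mac(cfid: str, instance: str) -> str:
    # Length-prefix the CFID so "1" + "23" and "12" + "3" cannot produce the same input.
    msg = f"{len(cfid)}:{cfid}:{instance}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def sign_instance(cfid: str, instance: str) -> str:
    """Value to place in generated URLs, e.g. ?inst=clientA.<hex mac>."""
    return f"{instance}.{_mac(cfid, instance)}"


def verify_instance(cfid: str, param: str) -> Optional[str]:
    """cfid comes from the already-validated session cookie, param from the URL.

    Returns the instance name, or None when the parameter is malformed, was
    tampered with, or was minted for a different session's CFID."""
    instance, sep, mac = param.rpartition(".")
    if not sep or not instance:
        return None
    # Constant-time comparison on bytes: no early exit on the first wrong byte,
    # and no TypeError on non-ASCII input from the URL.
    if not hmac.compare_digest(_mac(cfid, instance).encode(), mac.encode()):
        return None
    return instance


class TabTokens:
    """Server-side master list of random tokens, keyed by session id."""

    def __init__(self) -> None:
        self._by_session: Dict[str, Dict[str, str]] = {}

    def issue(self, session_id: str, instance: str) -> str:
        # Unguessable and never repeated; embed it in links or a hidden field.
        token = secrets.token_urlsafe(32)
        self._by_session.setdefault(session_id, {})[token] = instance
        return token

    def resolve(self, session_id: str, token: str) -> Optional[str]:
        """Instance bound to token, or None if it is not on this session's list."""
        return self._by_session.get(session_id, {}).get(token)

    def end_session(self, session_id: str) -> None:
        # The list survives only as long as the session does.
        self._by_session.pop(session_id, None)


if __name__ == "__main__":
    url_param = sign_instance("1001", "clientA")
    print("same session:", verify_instance("1001", url_param))
    print("other session:", verify_instance("1002", url_param))
    tabs = TabTokens()
    tok = tabs.issue("session-1", "clientA")
    print("listed:", tabs.resolve("session-1", tok), "unlisted:", tabs.resolve("session-2", tok))
```

On every request the server first validates the session from the cookie as usual, then resolves the tab from the URL parameter with one of the two functions; a None result should be treated like a missing or invalid session for that tab, not silently mapped to a default instance.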
By using CFID and CFTOKEN in Application.cfm, when users open individual browser windows, everything works fine, because each browser window has its own ID and Token. But when you are using IE7+ and try to open a new tab from an existing window, the situation you described in your first reply happens, because the same ID and Token is inherited.
What you describe seems logically sound. Is it possible to give some details as to where and how to implement it? A simple example may help better.
Actually I thought of a way you could do this without special codes you have to track.
All you have to do is manually set path cookie values for CFID and CFTOKEN, and use URL rewriting (mod_rewrite for Apache, or ISAPI_Rewrite for IIS).
In your cfapplication tag you can disable the automatic creation of the cookie values for CFID and CFTOKEN:
<cfapplication setclientcookies="no" ......
Then create the cookies with something like this (this example assumes client management is being used):
<!--- Only issue the cookies when the browser did not send a CFID; the path attribute scopes them to this client instance --->
<cfif not IsDefined("Cookie.CFID") or Cookie.CFID eq "">
    <cfheader name="Set-Cookie" value="CFID=#client.CFID#;HTTPOnly;path=/clientXXX/">
    <cfheader name="Set-Cookie" value="CFTOKEN=#client.CFTOKEN#;HTTPOnly;path=/clientXXX/">
</cfif>
clientXXX is different for every client instance you like. Then all you need is a super simple URL rewrite removing the clientXXX part.
So the browser's URL might look like http://www.yousite.com/clientXXX/index.cfm, but the server will actually serve the request from http://www.yousite.com/index.cfm. The cookie, however, will be set for www.yousite.com/clientXXX and not www.yousite.com.
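The whole scheme rests on the browser's cookie path matching: a cookie set with path=/clientA/ is attached only to requests whose path starts with /clientA/, so two tabs living under different prefixes send different CFID/CFTOKEN pairs even though the server is one application. The following is an added example written for this page, not code from the thread or from ColdFusion; it uses Python's http.cookiejar, which implements the same path and Secure rules a browser applies, to replay the Set-Cookie headers from the post and show which cookies each request would carry. The host name www.yousite.com comes from the post; the paths, CFID/CFTOKEN values and the use of https with a Secure flag are constructed for the example.

```python
"""Added example: cookie Path scoping as a browser (here: http.cookiejar) applies it.

The server issues CFID/CFTOKEN with Path=/<instance>/ for each tab, exactly as the
<cfheader name="Set-Cookie"> lines in the post do; the jar then shows that a request
under /clientA/ and one under /clientB/ carry different session identifiers, and a
request to the site root carries none. Values are constructed for the example.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _SetCookieResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message keeps repeated headers

    def info(self):
        return self._headers


def server_sets_session_cookies(jar, url, cfid, cftoken, instance):
    """Simulate the server's response to a request for url: both cookies are
    scoped to /<instance>/ and marked HttpOnly; Secure is added here because
    the example uses https URLs (the post's snippet does not set it)."""
    path = f"/{instance}/"
    headers = [
        f"CFID={cfid}; HttpOnly; Secure; Path={path}",
        f"CFTOKEN={cftoken}; HttpOnly; Secure; Path={path}",
    ]
    jar.extract_cookies(_SetCookieResponse(headers), Request(url))


def cookies_sent(jar, url):
    """Return {name: value} for the cookies the jar would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return {}
    return dict(part.strip().split("=", 1) for part in header.split(";"))


def demo():
    jar = CookieJar()
    base = "https://www.yousite.com"
    # Tab 1 landed on /clientA/, tab 2 on /clientB/; after the rewrite strips the
    # prefix the same index.cfm served both, but issued a distinct pair for each.
    server_sets_session_cookies(jar, f"{base}/clientA/index.cfm", "1001", "aaa111", "clientA")
    server_sets_session_cookies(jar, f"{base}/clientB/index.cfm", "1002", "bbb222", "clientB")
    return {
        "clientA": cookies_sent(jar, f"{base}/clientA/index2.cfm"),
        "clientB": cookies_sent(jar, f"{base}/clientB/index2.cfm"),
        "root": cookies_sent(jar, f"{base}/index.cfm"),
        # Secure cookies are withheld on plain http, so the pair cannot leak there.
        "http": cookies_sent(jar, "http://www.yousite.com/clientA/index2.cfm"),
    }


if __name__ == "__main__":
    for name, cookies in demo().items():
        print(f"{name:8} -> {cookies}")
```

Two practical points follow from the output: the site root gets no session cookie at all, which is why the post needs a redirect page that sends the browser into some /prefix/ first, and the server must always check which prefix a request came in under, since a cookie scoped to /clientA/ says nothing about a request made to /clientB/.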
Thanks for your response.
It makes sense. But there is a question, though. ClientXXX is supposed to be dynamic based on the user's choice. Should I set a default for the first time, before the user makes the selection, so that when the user chooses it will be reset? Is that the logic? Thanks.
There is really no need or requirement; it's more how you would like your site to behave. You could set a default like this:
Use the default page for the site, say index.cfm as a redirect page and nothing else.
So it generates some random string, like XYZ, and then redirects to http://www.yousite.com/XYZ/index2.cfm
index2.cfm is actually the main page for your app also in the root folder, and the folder XYZ doesn't really exist.
......or you could use the default page like above as the opportunity for the user to specify this "random" string. You could just say there can be at most three different sessions or client types, and just use a pull-down select box with the options Client A, B and C, then redirect to, perhaps, http://www.yousite.com/clientA/index2.cfm
Many many ways to skin a cat, the question is what way? I hope this gives you some ideas.